1. General

The University of New Mexico (UNM) collects and maintains confidential information, including social security numbers (SSNs) of its students, staff, faculty and individuals associated with the University. UAP 2550 ("Information Security") describes the basic components of the UNM Information Security Program which applies to all employees (student, staff, and faculty), contractors, vendors, volunteers, and all other individuals who work with UNM data and information. This policy defines additional requirements applicable to SSNs. UNM recognizes the importance of the proper handling of SSNs in order to protect personal privacy and minimize the growing risks of fraud and identity theft. The Federal Privacy Act of 1974 (5 U.S.C. Sec. 552a) is the federal law that regulates the collection of SSNs. This law makes it illegal for federal, state or local government agencies to deny any rights, benefits or privileges to individuals who refuse to disclose their SSNs unless the disclosure is required by federal statute or the disclosure is to an agency for use in a record system which required the SSN before 1975. This Act applies to UNM. The Federal Privacy Act also requires that any agency that requests SSNs must inform individuals asked:

whether the disclosure is mandatory or voluntary;

what the authority is for requesting the SSN;

what uses will be made of the information; and

the consequences, if any, of failure to provide the information.

2. Collection of Social Security Numbers

Where IRS or other federal regulations require UNM to report SSN, we require individuals to provide us with that information.

2.1. Notification Statement

In all instances when UNM requests an individual to supply his/her SSN, it must indicate in writing:

whether the disclosure is mandatory or voluntary;

by what authority the number is requested;

the uses which will be made of it; and

the consequences, if any, of failure to provide the SSN. All statements must be approved in advance by the Office of University Counsel.

2.2. Employees

Employees are required to provide their SSNs on payroll/personnel, health insurance, and retirement forms.

2.3. Students

Students are required to provide their SSNs for admission, financial aid, and student housing contracts. Students unable to provide a SSN will be assigned an alternative number.

2.4. Patients

Patients of University Hospital and medical clinics are required to provide their SSNs on inpatient and outpatient registration forms.

2.5. Other Individuals

Other forms that request disclosure of SSNs, and proposals by departments to collect SSNs for any purpose must be approved in advance by Office of University Counsel. The provision of SSNs in such cases must be strictly voluntary and individuals who decline to disclose the number may not be denied any rights, benefits or privileges.

3. Disclosure of SSNs by UNM

An individual's SSN is personal information and shall not be released by UNM to outside individuals or entities, except:

as allowed or required by law;

when permission is granted by the individual;

when the outside individual or entity is acting as UNM's contractor or agent and appropriate security measures are in place to prevent unauthorized dissemination to third parties; or

when the Office of University Counsel has approved the release.

4. UNM Identification Numbers

UNM does not use SSNs as primary identifiers for students or employees. Any exception must be approved in writing by the cognizant vice president and the University Chief Information Officer (CIO). Students and employees are assigned a unique randomly-generated identification number to allow access to records and to transact business with UNM. These numbers remain the property of, and are subject to, UNM's rules. UNM identification numbers are not accorded the same confidential status as SSNs.

5. Use of SSNs

The following guidelines must be followed by UNM employees with access to SSNs:

SSNs will be transmitted electronically only through secure mechanisms as determined by ITS;

paper and electronic documents containing SSNs will be disposed of in a secure fashion; and

student grades and other pieces of personal information will not be publicly posted or displayed using either the complete or partial SSN for identification purposes.

6. Report Collection, Use, and/or Storage of SSNs

Departments that collect, use and/or store SSNs must submit a report to the University Information Security Officer documenting the reason for collection, the handling processes in place to ensure protection of SSNs, and the notification statement required by Section 2.1. herein. Reports must be made no later than September 30, 2008, or within ninety (90) days of beginning collection, use, and/or storage of SSNs, whichever is later. In addition, departments must review SSN procedures annually and report any changes to the University Information Security Officer.